<!doctype html><!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en-us" > <![endif]--><!--[if IE 7]>    <html class="no-js lt-ie9 lt-ie8" lang="en-us" >        <![endif]--><!--[if IE 8]>    <html class="no-js lt-ie9" lang="en-us" >               <![endif]--><!--[if gt IE 8]><!--><html class="no-js" lang="en-us"><!--<![endif]--><head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="author" content="Roi Kol">
    <meta name="description" content="BPF is a popular and powerful technology embedded in the Linux kernel and can potentially be used by threat actors as part of their malicious arsenal.">
    <meta name="generator" content="HubSpot">
    <title>Detecting eBPF Malware with Tracee</title>
    <link rel="shortcut icon" href="https://blog.aquasec.com/hubfs/PNG__2020%20Aqua%20Logomark%20Color.png">
    

    
    <meta property="og:description" content="BPF is a popular and powerful technology embedded in the Linux kernel and can potentially be used by threat actors as part of their malicious arsenal.">
    <meta property="og:title" content="Detecting eBPF Malware with Tracee">
    <meta name="twitter:description" content="BPF is a popular and powerful technology embedded in the Linux kernel and can potentially be used by threat actors as part of their malicious arsenal.">
    <meta name="twitter:title" content="Detecting eBPF Malware with Tracee">

    

    
    <script type="application/ld+json">
{
  "mainEntityOfPage" : {
    "@type" : "WebPage",
    "@id" : "https://blog.aquasec.com/detecting-ebpf-malware-with-tracee"
  },
  "author" : {
    "name" : "Roi Kol",
    "url" : "https://blog.aquasec.com/author/roi-kol",
    "@type" : "Person"
  },
  "headline" : "Detecting eBPF Malware with Tracee",
  "datePublished" : "2023-07-19T12:30:46.000Z",
  "dateModified" : "2023-07-20T18:05:27.174Z",
  "publisher" : {
    "name" : "Aqua Security",
    "logo" : {
      "url" : "https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/logo_aqua-2.svg",
      "@type" : "ImageObject"
    },
    "@type" : "Organization"
  },
  "@context" : "https://schema.org",
  "@type" : "BlogPosting",
  "image" : [ "https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/ebpf-blog-2023-1-1200x582.jpg" ]
}
</script>


    


<link rel="amphtml" href="https://blog.aquasec.com/detecting-ebpf-malware-with-tracee?hs_amp=true">

<meta property="og:image" content="https://blog.aquasec.com/hubfs/ebpf-blog-2023-1-1200x582.jpg#keepProtocol">
<meta property="og:image:alt" content="detecting ebpf malware">
<meta name="twitter:image" content="https://blog.aquasec.com/hubfs/ebpf-blog-2023-1-1200x582.jpg#keepProtocol">
<meta name="twitter:image:alt" content="detecting ebpf malware">

<meta property="og:url" content="https://blog.aquasec.com/detecting-ebpf-malware-with-tracee">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="https://blog.aquasec.com/detecting-ebpf-malware-with-tracee">

<!-- SEO - Images -->
<meta name="robots" content="max-image-preview:large">
<meta property="og:type" content="article">
<link rel="alternate" type="application/rss+xml" href="https://blog.aquasec.com/rss.xml">
<meta name="twitter:domain" content="blog.aquasec.com">
<meta name="twitter:site" content="@AquaSecTeam">

<meta http-equiv="content-language" content="en-us">




</head>
<body class="blog custom-blog-post-page   hs-content-id-125114926183 hs-blog-post hs-blog-id-3657573699" style="">

<div class="body-container-wrapper">
    <div class="body-container container-fluid">

<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-cell page-center content-wrapper" style="" data-widget-type="cell" data-x="0" data-w="12">

<div class="row-fluid-wrapper row-depth-1 row-number-2 ">
<div class="row-fluid ">
<div class="span9 widget-span widget-type-cell blog-content" style="" data-widget-type="cell" data-x="0" data-w="9">

<div class="row-fluid-wrapper row-depth-1 row-number-3 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-blog_content " style="" data-widget-type="blog_content" data-x="0" data-w="12">


<div class="custom-blog-post-content">
  <div class="blog-section">
    <div class="blog-post-wrapper cell-wrapper">

      <div class="section post-header">
        <div class="post-banner-image">
          <img srcset="https://1665891.fs1.hubspotusercontent-na1.net/hub/1665891/hubfs/ebpf-blog-2023-1-1200x582.jpg?width=480&amp;name=ebpf-blog-2023-1-1200x582.jpg 480w, https://1665891.fs1.hubspotusercontent-na1.net/hub/1665891/hubfs/ebpf-blog-2023-1-1200x582.jpg?width=870&amp;name=ebpf-blog-2023-1-1200x582.jpg 870w" sizes="(max-width: 600px) 480px, 870px" class="hs-image-widget" src="https://1665891.fs1.hubspotusercontent-na1.net/hub/1665891/hubfs/ebpf-blog-2023-1-1200x582.jpg?width=870&amp;height=421&amp;name=ebpf-blog-2023-1-1200x582.jpg" alt="Detecting eBPF Malware with Tracee" width="870" height="421"> 
        </div>

        <div class="post-date">
          
          
<div class="small-author-profile-link">
  <div class="small-author-profile small-author-profile-with-avatar">
    
    

    
    
    
    

    <div class="post-name-detail">
      <div class="small-author-name author-name-line">
        
        <a href="/author/roi-kol">Roi Kol</a>
        
      </div>

      <div class="post-date-detail">
        July 19, 2023
      </div>
    </div>
  </div>
</div>

        </div>

        <h1><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">Detecting eBPF Malware with Tracee</span></h1>
      </div>

      <div class="section post-body">
        <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p>eBPF is a popular and powerful technology embedded in the Linux kernel. It is widely used by security tools to monitor kernel activity in order to detect threats and protect organizations. eBPF, however, is a double-edged sword: threat actors can use it as part of their malicious arsenal. Lately, we have seen a rise in the number of eBPF-based tools used for malicious purposes, such as rootkits (<a href="https://github.com/Gui774ume/ebpfkit" rel="noopener" target="_blank">ebpfkit,</a> <a href="https://github.com/h3xduck/TripleCross" rel="noopener" target="_blank">TripleCross</a>) and credential-stealing malware (<a href="https://github.com/citronneur/pamspy" rel="noopener" target="_blank">pamspy</a>). In this blog we explain how eBPF is used to instrument the kernel and demonstrate how we detect malicious use of eBPF. <!--more--></p>
<h2>Understanding pamspy – eBPF malware</h2>
<p>Pamspy is Linux malware that collects credentials by using eBPF to trace user-space functions inside the Pluggable Authentication Modules (PAM) library. PAM handles authentication for many critical applications (such as sudo, sshd and passwd), so hooking it lets an attacker harvest clear-text credentials for all of them at once.</p>
<p>Using eBPF uprobes, Pamspy hooks the <span style="font-family: 'Courier New', Courier, monospace;">pam_get_authtok()</span> function exported by <span style="font-family: 'Courier New', Courier, monospace;">libpam.so</span>. <span style="font-family: 'Courier New', Courier, monospace;">pam_get_authtok()</span> is responsible for returning the user's authentication token, which includes the clear-text username and password. Every subsequent authentication request on the system calls <span style="font-family: 'Courier New', Courier, monospace;">pam_get_authtok()</span>, and since Pamspy has hooked this function (on its return, via a uretprobe, as the detection below shows), it can collect clear-text credentials system-wide.</p>
<p>Since Pamspy runs as an eBPF program inside the kernel, traditional security controls that focus on user space may miss it completely. Note that loading a kprobe/uprobe-type eBPF program requires elevated privileges (CAP_SYS_ADMIN, or CAP_BPF together with CAP_PERFMON on recent kernels), so Pamspy is a post-compromise tool – but once it is running, user-space-only detection has nothing to see. Below we show how security tools such as Aqua Tracee use eBPF itself to overcome this problem and detect eBPF malware and rootkits. &nbsp;</p>
<h3>Harnessing eBPF to detect malicious eBPF</h3>
<p>We aim to detect tools that use eBPF to monitor the system. Some malicious tools monitor kernel functions (for instance file-system writes or resource enumeration), while others monitor user-space functions to collect sensitive data such as passwords. &nbsp;</p>
<p>We can use an eBPF program to detect malicious eBPF use. But we discovered that, for security purposes, it is not enough to detect that an eBPF program was loaded, because that event alone lacks the context of which system events trigger the program – and therefore what it is hooking. We obtained the missing context by also tracking the Perf events that the program is attached to.</p>
<p>But first, let’s set some background on what eBPF programs and Perf events are.&nbsp;<br>In general, eBPF programs are small blocks of code that are triggered by events within the system. They extend the functionality of the Linux kernel but have certain limitations on what they can do. Primarily, they are used for tracing. The kernel provides mechanisms to create and load these programs, restrict them from performing undesirable actions, and ensure they do not crash the kernel.</p>
<p>eBPF programs can be associated with various events in the system, such as resource allocation, socket operations, kernel events, and networking. However, in this article, our focus is on kernel instrumentation, specifically monitoring kernel operations.&nbsp;</p>
<p>To enable performance monitoring and kernel instrumentation, Perf events were introduced into the kernel. They serve as a means to probe specific points within the kernel, enabling system monitoring, troubleshooting, and tracing. Perf events are used to monitor kernel operations and performance metrics, such as CPU consumption, hardware and software counters, and more. These events can be triggered either by system events or periodically, to sample the desired information.</p>
<p>When considering the interaction between eBPF programs and Perf events, eBPF programs can be triggered by Perf events. While eBPF programs can typically be attached to numerous system events, we will concentrate on five specific events in this blog:</p>
<ol>
<li><strong><span style="text-decoration: underline;">Tracepoints:</span></strong> These are predefined strategic points in the kernel that offer valuable information about the ongoing execution of the kernel.</li>
<li><strong><span style="text-decoration: underline;">Kprobes:</span></strong> These are dynamically defined points in the kernel that provide useful information for the person who sets them, usually upon function entry.</li>
<li><strong><span style="text-decoration: underline;">Kretprobes:</span></strong> Similar to kprobes, these points are defined dynamically in the kernel but trigger upon function exit.</li>
<li><span style="text-decoration: underline;"><strong>Uprobes:</strong></span> Similar to kprobes, but designed for user-space programs rather than the kernel.</li>
<li><strong><span style="text-decoration: underline;">Uretprobes:</span></strong> Similar to kretprobes, but intended for user-space programs.</li>
</ol>
<p>By leveraging these probes using Perf, eBPF programs can effectively trace and monitor the specified areas within the kernel, providing valuable insights into system behavior and performance.</p>
<h3>Triggering eBPF programs with Perf events</h3>
<p>To gain a deeper understanding of how eBPF and Perf interact, we will explore the process of setting up triggers for eBPF programs. At a higher level, the following steps need to be taken:</p>
<ol>
<li>Open a Perf event: Begin by initiating a Perf event, which serves as the trigger for our eBPF program.</li>
<li>Load an eBPF program: Develop an eBPF program that contains the desired functionality or logic. Once created, load the program into the system.</li>
<li>Attach the Perf event to the eBPF program: Establish a connection between the Perf event and the eBPF program by associating the two. This ensures that the eBPF program is triggered whenever the designated Perf event occurs.</li>
</ol>
<p>By following these steps, we can effectively set up the necessary connections between Perf events and eBPF programs, allowing us to monitor and trace specific behaviors within the system.</p>
<p><span style="text-decoration: underline;"><span style="font-weight: bold;">Step 1: Opening Perf events&nbsp;</span></span><br>As mentioned above we focus on 5 Perf events for kernel instrumentation with eBPF <span style="font-family: 'Courier New', Courier, monospace;">(tracepoints, k(ret)probes, u(ret)probes)</span>. &nbsp;</p>
<p>Tracepoints already exist in the system, so the user does not need to create them. You can simply open them using the <span style="font-family: 'Courier New', Courier, monospace;">perf_event_open() syscall</span>. As for the <span style="font-family: 'Courier New', Courier, monospace;">k(ret)probes/u(ret)probes,</span> they do not exist a priori in the system and thus you need to create them. If you are using kernel version 4.17 or above, the <span style="font-family: 'Courier New', Courier, monospace;">perf_event_open() syscall </span>can create the probes for you. But if you’re using a lower kernel version you need to create them with the legacy option, which is described next:</p>
<p>1. The <span style="font-family: 'Courier New', Courier, monospace;">k(ret)probes</span> or <span style="font-family: 'Courier New', Courier, monospace;">u(ret)probes</span> are created separately using the tracefs under <span style="font-family: 'Courier New', Courier, monospace;">‘/sys/kernel/tracing/’</span> (or <span style="font-family: 'Courier New', Courier, monospace;">‘/sys/kernel/debug/tracing/’</span> for old kernels).&nbsp;</p>
<p><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/tracefs_carbon.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/tracefs_carbon.jpg?width=900&amp;height=161&amp;name=tracefs_carbon.jpg" alt="tracefs_carbon" width="900" height="161" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/tracefs_carbon.jpg?width=450&amp;height=81&amp;name=tracefs_carbon.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/tracefs_carbon.jpg?width=900&amp;height=161&amp;name=tracefs_carbon.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/tracefs_carbon.jpg?width=1350&amp;height=242&amp;name=tracefs_carbon.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/tracefs_carbon.jpg?width=1800&amp;height=322&amp;name=tracefs_carbon.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/tracefs_carbon.jpg?width=2250&amp;height=403&amp;name=tracefs_carbon.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/tracefs_carbon.jpg?width=2700&amp;height=483&amp;name=tracefs_carbon.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p>
<p>2. In order to create a<span style="font-family: 'Courier New', Courier, monospace;"> k(ret)probe</span> event or a <span style="font-family: 'Courier New', Courier, monospace;">u(ret)probe</span> event, you can write to <span style="font-family: 'Courier New', Courier, monospace;">‘/sys/kernel/tracing/kprobe_events’</span> and <span style="font-family: 'Courier New', Courier, monospace;">‘/sys/kernel/tracing/uprobe_events’</span> respectively.&nbsp;</p>
<p><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/probe_events_carbon.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/probe_events_carbon.jpg?width=900&amp;height=91&amp;name=probe_events_carbon.jpg" alt="probe_events_carbon" width="900" height="91" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/probe_events_carbon.jpg?width=450&amp;height=46&amp;name=probe_events_carbon.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/probe_events_carbon.jpg?width=900&amp;height=91&amp;name=probe_events_carbon.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/probe_events_carbon.jpg?width=1350&amp;height=137&amp;name=probe_events_carbon.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/probe_events_carbon.jpg?width=1800&amp;height=182&amp;name=probe_events_carbon.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/probe_events_carbon.jpg?width=2250&amp;height=228&amp;name=probe_events_carbon.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/probe_events_carbon.jpg?width=2700&amp;height=273&amp;name=probe_events_carbon.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p>
<p>3. Using the right format for each event type, the kernel will create the probe for you with the required options.&nbsp;</p>
<p><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/myprobe_carbon.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/myprobe_carbon.jpg?width=900&amp;height=239&amp;name=myprobe_carbon.jpg" alt="myprobe_carbon" width="900" height="239" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/myprobe_carbon.jpg?width=450&amp;height=120&amp;name=myprobe_carbon.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/myprobe_carbon.jpg?width=900&amp;height=239&amp;name=myprobe_carbon.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/myprobe_carbon.jpg?width=1350&amp;height=359&amp;name=myprobe_carbon.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/myprobe_carbon.jpg?width=1800&amp;height=478&amp;name=myprobe_carbon.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/myprobe_carbon.jpg?width=2250&amp;height=598&amp;name=myprobe_carbon.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/myprobe_carbon.jpg?width=2700&amp;height=717&amp;name=myprobe_carbon.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p>
<p>4. Then you’ll need to open the Perf event using the <span style="font-family: 'Courier New', Courier, monospace;">perf_event_open() syscall</span>, and provide it with the id of the probe you created earlier.</p>
<p>While there are few apparent differences between the legacy creation of <span style="font-family: 'Courier New', Courier, monospace;">k(ret)probes/u(ret)probes</span> and invoking the <span style="font-family: 'Courier New', Courier, monospace;">perf_event_open() syscall</span>, one difference that should be known to the user (i.e. the monitoring tool) is the event name, as mentioned below:</p>
<ul>
<li>In the legacy option, the name for the Perf event is the name of the <span style="font-family: 'Courier New', Courier, monospace;">k(ret)probe/u(ret)probe</span> given by the user in the tracefs.</li>
<li>In the syscall option it is set by the kernel.</li>
</ul>
<p style="font-weight: bold;"><span style="text-decoration: underline;">Step 2: eBPF program </span></p>
<p>As for eBPF programs and the 5 Perf events in focus <span style="font-family: 'Courier New', Courier, monospace;">(tracepoint</span>, <span style="font-family: 'Courier New', Courier, monospace;">k(ret)probe or u(ret)probe)</span>, there are two relevant program types:</p>
<ul>
<li><span style="font-family: 'Courier New', Courier, monospace;">BPF_PROG_TYPE_TRACEPOINT </span>- for Perf event of type tracepoint</li>
<li><span style="font-family: 'Courier New', Courier, monospace;">BPF_PROG_TYPE_KPROBE</span><span style="background-color: transparent;"> - for Perf event of type k(ret)probe or u(ret)probe.</span></li>
</ul>
<p>Loading an eBPF program is done using the <span style="font-family: 'Courier New', Courier, monospace;">bpf() syscall</span> with <span style="font-family: 'Courier New', Courier, monospace;">“BPF_PROG_LOAD”</span> command. In this case the program is of type <span style="font-family: 'Courier New', Courier, monospace;">“BPF_PROG_TYPE_KPROBE”</span>.&nbsp;<br><br><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/bpf_prog_load_carbon-1.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/bpf_prog_load_carbon.jpg?width=900&amp;height=58&amp;name=bpf_prog_load_carbon.jpg" alt="bpf_prog_load_carbon" width="900" height="58" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/bpf_prog_load_carbon.jpg?width=450&amp;height=29&amp;name=bpf_prog_load_carbon.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/bpf_prog_load_carbon.jpg?width=900&amp;height=58&amp;name=bpf_prog_load_carbon.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/bpf_prog_load_carbon.jpg?width=1350&amp;height=87&amp;name=bpf_prog_load_carbon.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/bpf_prog_load_carbon.jpg?width=1800&amp;height=116&amp;name=bpf_prog_load_carbon.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/bpf_prog_load_carbon.jpg?width=2250&amp;height=145&amp;name=bpf_prog_load_carbon.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/bpf_prog_load_carbon.jpg?width=2700&amp;height=174&amp;name=bpf_prog_load_carbon.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p>
<p style="font-weight: bold;"><span style="text-decoration: underline;">Step 3: Attaching eBPF to Perf </span></p>
<p>On newer kernels you can use the <span style="font-family: 'Courier New', Courier, monospace;">bpf() syscall </span>to link the eBPF program you just loaded to the Perf event. All you need to do is use the <span style="font-family: 'Courier New', Courier, monospace;">bpf() syscall</span> command <span style="font-family: 'Courier New', Courier, monospace;">“BPF_LINK_CREATE”</span> (the command itself was introduced in kernel 5.7; its use for perf events, attach type <span style="font-family: 'Courier New', Courier, monospace;">BPF_PERF_EVENT</span>, arrived later, in 5.15). For older kernel versions that do not support this, you need to use the <span style="font-family: 'Courier New', Courier, monospace;">ioctl() syscall</span> with the command <span style="font-family: 'Courier New', Courier, monospace;">“PERF_EVENT_IOC_SET_BPF”</span>.&nbsp;</p>
<p>In newer kernel versions, both options are available and produce the same result: the eBPF program is triggered whenever the Perf event fires. This matters for detection – a monitoring tool has to observe both attachment paths, because an attacker is free to choose the legacy <span style="font-family: 'Courier New', Courier, monospace;">ioctl()</span> route even on a kernel that supports BPF links. &nbsp;</p>
<p>A nice example of that is implemented in libbpf which takes care of this process:<br><br><a href="https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/elixir_libbpf.jpg" rel="noopener" target="_blank"><img src="https://blog.aquasec.com/hs-fs/hubfs/elixir_libbpf.jpg?width=900&amp;height=451&amp;name=elixir_libbpf.jpg" alt="elixir_libbpf" width="900" height="451" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/elixir_libbpf.jpg?width=450&amp;height=226&amp;name=elixir_libbpf.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/elixir_libbpf.jpg?width=900&amp;height=451&amp;name=elixir_libbpf.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/elixir_libbpf.jpg?width=1350&amp;height=677&amp;name=elixir_libbpf.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/elixir_libbpf.jpg?width=1800&amp;height=902&amp;name=elixir_libbpf.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/elixir_libbpf.jpg?width=2250&amp;height=1128&amp;name=elixir_libbpf.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/elixir_libbpf.jpg?width=2700&amp;height=1353&amp;name=elixir_libbpf.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></a></p>
<p>(<a href="https://elixir.bootlin.com/linux/v6.3.7/source/tools/lib/bpf/libbpf.c#L9750">https://elixir.bootlin.com/linux/v6.3.7/source/tools/lib/bpf/libbpf.c#L9750</a>)</p>
<p>If the kernel supports <span style="font-family: 'Courier New', Courier, monospace;">“BPF_LINK_CREATE”</span>, libbpf uses it to create the link; otherwise, it falls back to ioctl() with <span style="font-family: 'Courier New', Courier, monospace;">“PERF_EVENT_IOC_SET_BPF”</span>.</p>
<h3>Combining the eBPF and Perf event data</h3>
<p>Now we can merge the Perf event data (which holds the event’s symbol name, whether it is a kprobe or a uprobe, and whether it is a return probe) with the eBPF data (eBPF program name, eBPF helpers used, etc.) into a full picture of how the eBPF program is instrumenting the kernel.</p>
<h3>Aqua Tracee – Out-of-the-box detection</h3>
<p>Having learned how to combine the eBPF and Perf event data, we implemented this in <a href="https://www.aquasec.com/products/tracee/" rel="noopener" target="_blank">Aqua Tracee</a> to detect malicious tools that use eBPF to monitor the system.</p>
<p>Below you can see a screenshot of a Pamspy detection in Tracee. As mentioned above, this eBPF malware is designed to collect passwords by hooking the <span style="font-family: 'Courier New', Courier, monospace;">‘pam_get_authtok’</span> function in <span style="font-family: 'Courier New', Courier, monospace;">‘libpam.so’</span>. In the detection below you can see the eBPF program name <span style="font-family: 'Courier New', Courier, monospace;">‘trace_pam_get_a’</span> (the name is truncated by the kernel). It is attached to a <span style="font-family: 'Courier New', Courier, monospace;">‘uretprobe’</span> – a user-space return probe. The <span style="font-family: 'Courier New', Courier, monospace;">‘uretprobe’</span> is placed on the user-space library <span style="font-family: 'Courier New', Courier, monospace;">‘/lib/x86_64-linux-gnu/libpam.so.0’</span> at offset 34992, which resolves to the <span style="font-family: 'Courier New', Courier, monospace;">‘pam_get_authtok’</span> function, where the clear-text username and password are available.&nbsp;</p>
<p><img src="https://blog.aquasec.com/hs-fs/hubfs/bpf_attach_pamspy_carbon.jpg?width=900&amp;height=146&amp;name=bpf_attach_pamspy_carbon.jpg" alt="Tracee bpf_attach event showing the Pamspy uretprobe on libpam.so.0" width="900" height="146" loading="lazy" style="height: auto; max-width: 100%; width: 900px;" srcset="https://blog.aquasec.com/hs-fs/hubfs/bpf_attach_pamspy_carbon.jpg?width=450&amp;height=73&amp;name=bpf_attach_pamspy_carbon.jpg 450w, https://blog.aquasec.com/hs-fs/hubfs/bpf_attach_pamspy_carbon.jpg?width=900&amp;height=146&amp;name=bpf_attach_pamspy_carbon.jpg 900w, https://blog.aquasec.com/hs-fs/hubfs/bpf_attach_pamspy_carbon.jpg?width=1350&amp;height=219&amp;name=bpf_attach_pamspy_carbon.jpg 1350w, https://blog.aquasec.com/hs-fs/hubfs/bpf_attach_pamspy_carbon.jpg?width=1800&amp;height=292&amp;name=bpf_attach_pamspy_carbon.jpg 1800w, https://blog.aquasec.com/hs-fs/hubfs/bpf_attach_pamspy_carbon.jpg?width=2250&amp;height=365&amp;name=bpf_attach_pamspy_carbon.jpg 2250w, https://blog.aquasec.com/hs-fs/hubfs/bpf_attach_pamspy_carbon.jpg?width=2700&amp;height=438&amp;name=bpf_attach_pamspy_carbon.jpg 2700w" sizes="(max-width: 900px) 100vw, 900px"></p>
<p>You can read more about the Tracee <span style="font-family: 'Courier New', Courier, monospace;">bpf_attach</span> event in the <a href="https://aquasecurity.github.io/tracee/v0.16/docs/events/builtin/extra/bpf_attach/" rel="noopener" target="_blank">Tracee bpf_attach event documentation</a>.&nbsp;</p>
<p>&nbsp;</p></span>
      </div>

      <div class="authors_placeholder">
        <div id="hs_cos_wrapper_module_16786962871161532" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module">
<div class="hs-author-profile  hs-author-profile-with-avatar">
  <a href="/author/roi-kol"><h4 class="hs-author-name">Roi Kol</h4></a>
  <div class="hs-author-bio">Roi is a Security Researcher at Aqua. His work focuses on researching threats in the cloud native world. When not at work, Roi is a B.A. student in Computer Science at the Open University. He also enjoys going out into nature and spending time with family and friends.</div>
  
</div>

  
</div>
      </div>

      <div id="hubspot-author_data" class="hubspot-editable" data-hubspot-form-id="author_data" data-hubspot-name="Blog Author">
        
        <p id="hubspot-topic_data">
          
          <a class="topic-link" href="https://blog.aquasec.com/topic/security-threats">Security Threats</a>,
          
          <a class="topic-link" href="https://blog.aquasec.com/topic/malware-attacks">Malware Attacks</a>
          
        </p>
        

         
      </div>

    </div>
  </div>
</div>
</div>

</div><!--end row-->
</div><!--end row-wrapper -->




</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

</div><!--end widget-span -->
</div><!--end row-->
</div><!--end row-wrapper -->

    </div><!--end body -->
</div><!--end body wrapper -->

<div class="footer-container-wrapper">
    <div class="footer-container container-fluid">

<div class="row-fluid-wrapper row-depth-1 row-number-1 ">
<div class="row-fluid ">
<div class="span12 widget-span widget-type-raw_jinja " style="" data-widget-type="raw_jinja" data-x="0" data-w="12">
<script type="application/ld+json">
 {
     "@context": "http://schema.org",
     "@type": "BlogPosting",
     "headline": "Detecting eBPF Malware with Tracee",
     "image": {
          "@type": "ImageObject",
          "url": "https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/ebpf-blog-2023-1-1200x582.jpg"
     },
     "datePublished": "2023-07-19 12:30:46",
     "dateModified": "July 20, 2023, 6:05:27 PM",
     "author": {
         "@type": "Person",
         "name": "Roi Kol"
     },
     "publisher": {
         "@type": "Organization",
         "name": "Aqua Security",
         "logo": {
             "@type": "ImageObject",
             "url": "https://f.hubspotusercontent40.net/hubfs/1665891/SVG__2020%20Aqua%20Logo%20Color.svg"
         }
     },
     "description": "BPF is a popular and powerful technology embedded in the Linux kernel and can potentially be used by threat actors as part of their malicious arsenal."
 }
 </script></div><!--end widget-span -->

</div><!--end row-->
</div><!--end row-wrapper -->


    </div><!--end footer -->
</div><!--end footer wrapper -->

    

<script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script>
<script src="/hs/hsstatic/AsyncSupport/static-1.122/js/comment_listing_asset.js"></script>
<script>
  // Build the request options for this post's comment thread and hand them to
  // window.hsPopulateCommentsFeed (presumably defined by the
  // comment_listing_asset.js script loaded just above — confirm).
  function hsOnReadyPopulateCommentsFeed() {
    var options = {
      // Public thread endpoint; portal, content and collection ids are fixed
      // at render time, so nothing here comes from user input.
      commentsUrl: "https://api-na1.hubapi.com/comments/v3/comments/thread/public?portalId=1665891&offset=0&limit=1000&contentId=125114926183&collectionId=3657573699",
      maxThreadDepth: 1,
      showForm: true,
      
      skipAssociateContactReason: 'blogComment',
      disableContactPromotion: true,
      
      // Element id (no leading '#') the feed is rendered into.
      target: "hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c"
    };
    window.hsPopulateCommentsFeed(options);
  }

  // Run immediately if the document has already finished parsing, otherwise
  // defer to DOMContentLoaded. The doScroll test looks like a legacy-IE
  // readiness guard (doScroll is not a standard DOM property) — TODO confirm
  // it is still needed before simplifying.
  if (document.readyState === "complete" ||
      (document.readyState !== "loading" && !document.documentElement.doScroll)
  ) {
    hsOnReadyPopulateCommentsFeed();
  } else {
    document.addEventListener("DOMContentLoaded", hsOnReadyPopulateCommentsFeed);
  }

</script>


          <!--[if lte IE 8]>
          <script charset="utf-8" src="https://js.hsforms.net/forms/v2-legacy.js"></script>
          <![endif]-->
      
<script data-hs-allowed="true" src="/_hcms/forms/v2.js"></script>

        <script data-hs-allowed="true">
            // Mount the blog-comment form into the target container. `hbspt` is
            // provided by the /_hcms/forms/v2.js script loaded above.
            hbspt.forms.create({
                portalId: '1665891',
                formId: 'bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c',
                pageId: '125114926183',
                region: 'na1',
                pageName: "Detecting eBPF Malware with Tracee",
                contentType: 'blog-post',
                
                formsBaseUrl: '/_hcms/forms/',
                
                
                
                css: '',
                target: "#hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c",
                type: 'BLOG_COMMENT',
                
                submitButtonClass: 'hs-button primary',
                formInstanceId: '7369',
                getExtraMetaDataBeforeSubmit: window.hsPopulateCommentFormGetExtraMetaDataBeforeSubmit
            });

            // The forms library reports lifecycle events with postMessage; this
            // listener reacts only to the two events it needs for this one form.
            window.addEventListener('message', function(event) {
              var origin = event.origin; var data = event.data;
              // Origin gate: the message is accepted when its origin is a string
              // prefix of this page's URL, or when it is the literal 'null'.
              // NOTE(review): a prefix test against the full href is looser than
              // an equality test against document.location.origin — an origin
              // whose text happens to be a prefix of this page's URL would pass —
              // and 'null' is what browsers report for opaque origins (sandboxed
              // iframes, data: documents). The handler only calls fixed HubSpot
              // helpers with hard-coded options, so the exposed surface is small,
              // but confirm whether the 'null' branch is actually required and
              // consider `origin === document.location.origin` otherwise.
              // Note also that `data !== null` does not exclude undefined, so a
              // message with no data would throw on `data.type`.
              if ((origin != null && (origin === 'null' || document.location.href.toLowerCase().indexOf(origin.toLowerCase()) === 0)) && data !== null && data.type === 'hsFormCallback' && data.id == 'bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c') {
                if (data.eventName === 'onFormReady') {
                  window.hsPopulateCommentFormOnFormReady({
                    successMessage: "your comment has been received.",
                    target: "#hs_form_target_bcc43e1c-30ef-4ea4-9582-44bff8d5ad4c"
                  });
                } else if (data.eventName === 'onFormSubmitted') {
                  window.hsPopulateCommentFormOnFormSubmitted();
                }
              }
            });
        </script>
      



<!-- NOTE(review): jQuery is loaded from a third-party CDN without
     integrity/crossorigin attributes (Subresource Integrity), so a tampered
     CDN copy would run with full page privileges; pin a hash for the
     3.6.0 build before relying on it. The theme script below is served
     from the site's own host. -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://blog.aquasec.com/hs-fs/hub/1665891/hub_generated/template_assets/7511165868/1575250830489/Coded_files/Custom/page/Aqua_Theme_2019/aqua_theme_2019_scripts.js"></script>










    



</body></html>